Third-Party Security Risk Assessments On The Rise For SMBs

Ron Frechette

Cybersecurity Awareness – By Ron Frechette, The Cyber Coach

Over the past decade, enterprise companies have invested millions of dollars in building highly secure and compliant infrastructures to avoid the risks of data theft, lawsuits, penalties for non-compliance, and of most importance, brand damage and loss of business.  This has made it more time-consuming and difficult for cyber criminals to gain access to large enterprise networks. Threat actors were forced to shift their attack vectors towards smaller third-party service providers that are less secure.

Third-Party Risk Study

Apparently, this approach was extremely effective. In 2018, Opus and the Ponemon Institute conducted a third-party ecosystem risk study to understand the challenges companies face in protecting sensitive information shared with third-party vendors. Third parties include any company whose employees or systems have access to a companies’ systems or data (e.g. managed IT service providers, law firms, email providers, web hosting companies, subsidiaries, vendors, sub-contractors).

Some of the key findings revealed the following:

• 61% of US companies said they experienced a data breach caused by one of their vendors or third parties;
• 50% are unaware if supplier safeguards put in place are effective;
• 75% of organizations believe that third-party cybersecurity incidents are increasing;
• 16% attested they effectively mitigate third-party risk.

The study concluded that third-party vendors are one of the fastest-growing risks to an organization’s sensitive data, yet less than half of all companies say managing third-party relationship risks is a priority. These findings caused larger companies to scrutinize the security practices of their current and future third-party service providers.  That led to enterprise adoption of Third-Party Security Risk Assessments (SRAs).  The first step in the process is to have all vendors complete a security questionnaire.

The Security Questionnaire

Towards the latter part of 2018, cybersecurity consulting firms began to receive an increase in calls and emails from small-midsize businesses (SMBs) saying they were receiving letters from their larger clients requesting they complete a security questionnaire.  The primary concerns the SMBs had were not understanding the questions and answering them accurately and completely. This can be an intimidating process for many SMB executives who may not possess the proper security skills.  Enterprise companies may also require vendors to provide evidence of security such as policies and procedures, pen test reports, and remediation plans.  In some cases, they will request to have an onsite security risk assessment.

Top 10 Most Common Security Questions Asked

The following are the most common questions an SMB should be prepared to answer when they receive a security questionnaire:

1. Do you have an Information Security Policy and how often is it updated?
2. Do you have an Information Security Officer that is qualified for the role?
3. Do you conduct annual Security Risk Assessments?
4. Are you conducting annual vulnerability/penetration testing of your network?
5. Do you have an Access Privileges Policy?
6. Do you have a Third-Party Service Provider Security Policy?
7. Do you perform Annual Security Awareness Training with executives and employees?
8. Is your data encrypted in transit and at rest?
9. Can you provide a copy of your Disaster Recovery and Business Continuity Plan?
10. Do you have an Incident Response Plan and is it tested and updated annually?

Cybersecurity Adoption for SMBs

Most SMB executives will admit they may be a bit behind the curve when it comes to having mature IT security, compliance, and privacy programs embedded into their corporate culture. It’s ok!  The fact is, the majority of the SMB world is still behind, as seen in the market bell curve.

The rise in requests for Third-Party Security Risk Assessments will continue to drive SMBs up the bell curve towards cybersecurity adoption, or they risk losing clients and contend with the huge costs and headaches of data theft, lawsuits, penalties for non-compliance, and of most importance, brand damage.

A Case Study

Sixty percent of small-midsize businesses that experience a breach are filing bankruptcy within 6 to 12 months.  The American Medical Collection Agency (AMCA) is a great case study (entering bankruptcy after a data breach) and illustrates how impactful vendor data breaches are, and the widespread effect they have on people and the overall economy.

If you own a small-midsize business or work for one, the time to adopt good cyber hygiene practices is now. Until next month, wishing you a safe journey in cyber space!

Questions?  Email me at [email protected] or send me a tweet @GoldskyRon.

Sources: https://www.businesswire.com/news/home/20181115005665/en/Opus-Ponemon-Institute-Announce-Results-2018-Third-Party

https://healthitsecurity.com/news/amca-files-chapter-11-after-data-breach-impacting-quest-labcorp#:~:text=According%20to%20Quest’s%208%2DK,data%20like%20Social%20Security%20numbers.

by

by